Kim Dotcom opened his new file locker service—simply called “Mega”—to the public on Saturday afternoon Central Time. Mega’s public launch comes one year to the day since the US shuttered Dotcom’s Megaupload.

Ars was given a preview look at the new Mega service, which offers end-to-end encryption of files and seeks to circumvent the possibility of another high-level raid by allowing a diverse range of companies and individuals to set up servers and host users' files. Encrypted files stored with Mega will be duplicated and stored with multiple hosts for redundancy protection.

Dotcom announced the opening of Mega from his Twitter feed, saying the site had more than 100,000 registered users in less than one hour. Ars experienced some slowing when trying to set up an account, but we were ultimately able to register within five minutes.

“Site is still overloaded. Massive demand. Incredible. I am so happy. Thank you for using #Mega.” Dotcom tweeted at 1pm CST.

According to last night's interview with Ars freelancer Chris Keall, Mega is launching on the servers of a professional hosting company for now, a subsidiary of the German-based Cogent. But Dotcom says he already has more than 1,000 responses to his call for expressions of interest in hosting Mega content. Obviously, having a professional hosting company on board helped with the launch. “Wow. I have never seen anything like this. From 0 to 10 Gigabit bandwidth utilization within 10 minutes” Dotcom wrote.

Promoted Comments

I found this statement on browsers on their site. It seems all browsers have some problems and IE 10 and Chrome are both pretty good.

Quote:

A word on browsers

MEGA pushes the browser to its limits, and these limits vary. While it does work with all major current browsers, there are some weighty feature and performance differences:

Google Chrome: The leading browser, by far. It implements the proposed HTML5 FileSystem API, allowing for fancy features such as recursive folder uploads and efficient downloads. Caveats: Requires user permission to batch-write files after a few unattended completed downloads (for security reasons, and only once per session). Slightly anaemic text rendering.

Internet Explorer 10: A solid, modern browser with blazing JavaScript performance (even exceeding Chrome's). However, until Microsoft fixes a memory leak in the Blob saving functionality, you have to close and reopen the MEGA tab every couple of hundred megabytes of inbound file transfer. And, until Microsoft implements disk-based Blobs or Chrome's FileWriter API, memory usage for a file download peaks at twice the file's size - hardly efficient.

I can't really think of any online service or game that didn't have some kind of tragi-comic implosion on launch day. It's just not something you can really prepare for; if you server & bandwidth up to meet expected launch demand, you've got a wasteful surplus of capacity when launch demand dies and "normal" demand starts. If you hedge stay realistic and buy to expected demand and not launch peak, your service craps its pants.

CDNs and temporary data centers can only help so much. As with anything "cloud", at some point it becomes a question of real servers and real pipes.

The surprising thing to me is that this seems like a fairly simple idea, and I wonder why it hasn't been done before.

Until we get more details about the implementation of the encryption, it doesn't seem like there's anything fundamentally unique about Mega... other than them giving out a shit-ton of space for free. More competition is always good, though... Maybe it'll encourage Dropbox to up their offerings a bit.

Stored XSS attacks left and right, there’s only a single password-box at signup but no way to change or recover your password after registration (which is probably due to the nature of the design) and this gem of a quote on the API developer page:

Quote:

(it is also our first JavaScript project, so please bear with us).

Not very confidence inspiring coming from a company that wants to hold my personal data. I have to say that the UI looks quite decent and the concept has potential. We'll see how it pans out.

100k registrations in the first hour, over quarter of a million and counting now...! He's getting "DDoS'ed" by people scrambling to check out the new Mega, bet quite a few businesses wouldn't mind getting bombarded like that!

A couple privacy-related questions:

1. Where is the private key stored? Mega claims to not have access to it but it automatically created a key pair and I was never prompted to save it. Is it in a cookie or local storage? I clear these regularly so would I then lose my private key?
2. How does the deduping work if everything's encrypted? I suppose there could be client-side hashing sent unencrypted to the server.

A couple privacy-related questions: 1. Where is the private key stored? Mega claims to not have access to it but it automatically created a key pair and I was never prompted to save it. Is it in a cookie or local storage? I clear these regularly so would I then lose my private key?

I'm still reading the Developer docs (as mentioned up thread), but here's my understanding so far:

To log in, you supply your password (shocking, I know!), which is hashed, and sent to the server. In response, Mega will send back your private key (RSA, 2048 bits), which is encrypted with your master key. The master key is actually derived from your password (not sure what algorithm, but something like PBKDF2 would work very well), and it's used locally to decrypt the private key.

This, of course, raises the question of what happens if you forget your password?... which, at least from what I've seen so far, the answer appears to be you're screwed. It sounds like this could be fairly secure, but hopefully a variety of people in the security community will dig in to their implementation, trying to find any weaknesses... long as all encryption is done client side, this should actually be fairly secure (assuming you're not sent malicious HTML/JS, which could just send back your password/Master Key... but, a non-web app client wouldn't have that problem).
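
The login flow described in the comment above, sketched as an added example for Node.js; it is not part of the comment and not MEGA's code. PBKDF2 (which the commenter only guesses at), the HMAC login token, AES-256-GCM wrapping, the iteration count and all function names are assumptions made for illustration.

```javascript
// Added illustration, not MEGA's code: PBKDF2, HMAC and AES-256-GCM are assumed choices.
const crypto = require('node:crypto');

// Client side: stretch the password into a master key that never leaves the client,
// plus a separate login token that cannot be turned back into the master key.
function deriveKeys(password, salt) {
  const masterKey = crypto.pbkdf2Sync(password, salt, 200000, 32, 'sha256');
  const authHash = crypto.createHmac('sha256', masterKey).update('login').digest();
  return { masterKey, authHash };
}

// Client side: encrypt the RSA private key under the master key before upload.
function wrapKey(masterKey, privateKeyPem) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Client side: decrypt the blob; throws if the master key (i.e. the password) is wrong.
function unwrapKey(masterKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Registration: everything in serverRecord is either public or encrypted.
// The plaintext privateKey is returned only so a caller can compare it later.
function register(password) {
  const salt = crypto.randomBytes(16);
  const { masterKey, authHash } = deriveKeys(password, salt);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const wrapped = wrapKey(masterKey, privateKey);
  return { serverRecord: { salt, authHash, publicKey, wrapped }, privateKey };
}

// Login: the server checks the token and hands back the blob; the client unwraps it.
function login(serverRecord, password) {
  const { masterKey, authHash } = deriveKeys(password, serverRecord.salt);
  if (!crypto.timingSafeEqual(authHash, serverRecord.authHash)) return null; // server rejects
  return unwrapKey(masterKey, serverRecord.wrapped);
}
```

Because the server record holds only the salt, the login token, the public key and the wrapped blob, nothing in it can restore the private key once the password is forgotten, which matches the commenter's reading.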